FreeBSD: IPv6 DNS stops working after enabling the firewall

Discussion of other Linux/Unix/BSD/OSX distributions
drop
Posts: 14
Joined: 2018-05-26 19:54

FreeBSD: IPv6 DNS stops working after enabling the firewall

#1

Post by drop » 2018-08-01 11:53

When the nameserver is an IPv6 address:

Code:

cat /etc/resolv.conf
nameserver 2001:4860:4860::8888
Without the firewall, both ping6 google.com and ping google.com work fine. After enabling the firewall, ping6 google.com and ping google.com just sit there with no response.

After changing the nameserver to IPv4:

Code:

cat /etc/resolv.conf
nameserver 8.8.8.8
ping google.com works again, but I can't use IPv6.

Where did I go wrong in my firewall rules?

Code:

cat /etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

Code:

cat /etc/ipfw.rules
# Run by /etc/rc.d/ipfw as "/bin/sh /etc/ipfw.rules" because firewall_script points here
cmd="ipfw -q add"
pif="dc0"

# Start from an empty table so re-running the script does not duplicate rules
ipfw -q -f flush

# Loopback traffic is always allowed
$cmd 00010 allow all from any to any via lo0

# Match replies belonging to flows tracked by the keep-state rules below
$cmd 00101 check-state

# Outbound DNS over TCP and UDP
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state

# Outbound ICMP/ICMPv6 (ping); the replies come back through the dynamic rules
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00251 allow icmp6 from any to any out via $pif keep-state

# Everything else is dropped and logged
$cmd 00999 deny log all from any to any
astolia
Forum moderator
Posts: 6398
Joined: 2008-09-18 13:11

Re: FreeBSD: IPv6 DNS stops working after enabling the firewall

#2

Post by astolia » 2018-08-01 16:33

What about explicitly allowing incoming echo reply packets and trying again?

Code:

$cmd 00252 allow icmp6 from any to any in via $pif icmp6types 129
drop
Posts: 14
Joined: 2018-05-26 19:54

Re: FreeBSD: IPv6 DNS stops working after enabling the firewall

#3

Post by drop » 2018-08-02 7:53

astolia wrote: 2018-08-01 16:33 What about explicitly allowing incoming echo reply packets and trying again?

Code:

$cmd 00252 allow icmp6 from any to any in via $pif icmp6types 129
I found that it was enough to just move these few lines from the top of /etc/rc.firewall into it:

Code:

# Only in rare cases do you want to change these rules
#
# ND
#
# DAD
${fwcmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreachable
${fwcmd} add pass ipv6-icmp from any to any icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
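The reason the original ruleset hangs is worth spelling out: keep-state only creates dynamic entries for flows this host initiates, but Neighbor Discovery (router advertisements, neighbor solicitations/advertisements, DAD) arrives unsolicited and is mostly multicast, so it never matches a dynamic rule and falls through to the final deny. Without ND the host never learns its router's link-layer address, so the DNS query to 2001:4860:4860::8888 cannot even leave the box and both ping and ping6 stall on name resolution. The complete /etc/ipfw.rules below is an added example written for this thread (not the poster's final file and not part of FreeBSD). It combines the original stateful rules with the ICMPv6 rules that /etc/rc.firewall installs, spelled ipv6-icmp as rc.firewall does, and adds a self-check that refuses to load a ruleset missing them. The interface name dc0 is assumed; run it with "check" as the argument, or on any host without ipfw, to print and verify the ruleset without touching the firewall.

```shell
#!/bin/sh
#
# /etc/ipfw.rules: the stateful "outbound only" ruleset from this thread plus
# the ICMPv6 rules IPv6 cannot work without.
#
# Added example written for this thread; not the poster's final file and not
# shipped with FreeBSD. Assumptions: the external interface is dc0 (override
# with pif=...), and the host only originates DNS queries and pings.
# Usage:
#   sh /etc/ipfw.rules          # load the rules (needs root and ipfw)
#   sh /etc/ipfw.rules check    # print and verify the set without loading it

pif="${pif:-dc0}"

# The ruleset, one ipfw rule per line; comment lines are dropped before loading.
rules() {
    cat <<EOF
# loopback
00010 allow all from any to any via lo0
# replies to flows tracked by the keep-state rules below
00101 check-state
# outbound DNS over TCP and UDP
00110 allow tcp from any to any 53 out via $pif setup keep-state
00111 allow udp from any to any 53 out via $pif keep-state
# ICMPv6 a node must exchange before it can send any other IPv6 packet.
# None of it is a reply to traffic this host sent, so keep-state never admits
# it; without these rules the final deny drops it and the router is never
# resolved (that is why ping6 just hangs).
# DAD: neighbor solicitations sent from the unspecified address
00200 allow ipv6-icmp from :: to ff02::/16
# RS/RA/NS/NA/redirect between link-local and link-local multicast addresses
00201 allow ipv6-icmp from fe80::/10 to fe80::/10
00202 allow ipv6-icmp from fe80::/10 to ff02::/16
# destination unreachable (1), packet too big (2), NS (135), NA (136):
# path MTU discovery and neighbor resolution with global addresses need them
00203 allow ipv6-icmp from any to any icmp6types 1,2,135,136
# outbound ping; the replies come back through the dynamic rules
00250 allow icmp from any to any out via $pif keep-state
00251 allow ipv6-icmp from any to any out via $pif keep-state
# everything else is dropped and logged
00999 deny log all from any to any
EOF
}

# rules() without comment and blank lines: exactly what gets loaded.
active_rules() {
    rules | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Number of rules that would be installed.
rule_count() {
    active_rules | wc -l | tr -d ' '
}

# Returns 0 only when every ICMPv6 rule IPv6 depends on is present and the
# catch-all deny is still the last rule. Run before loading so a stray edit
# cannot silently lock IPv6 out again.
check_ipv6_rules() {
    for pat in 'ipv6-icmp from :: to ff02::/16' \
               'ipv6-icmp from fe80::/10 to fe80::/10' \
               'ipv6-icmp from fe80::/10 to ff02::/16' \
               'icmp6types 1,2,135,136'; do
        active_rules | grep -q -F -- "$pat" || return 1
    done
    [ "$(active_rules | tail -n 1)" = "00999 deny log all from any to any" ]
}

# Flush the table and install the rules; non-zero if the self-check fails.
load_rules() {
    check_ipv6_rules || { echo "refusing to load: IPv6 ND rules missing" >&2; return 1; }
    ipfw -q -f flush
    active_rules | while IFS= read -r rule; do
        # $rule is unquoted on purpose: ipfw wants each token as its own argument
        ipfw -q add $rule || exit 1
    done
}

if [ "$1" = check ] || ! command -v ipfw >/dev/null 2>&1; then
    # review mode (also what happens when the file is run on a non-FreeBSD host)
    active_rules
    check_ipv6_rules && echo "ok: $(rule_count) rules, IPv6 ND rules present"
else
    load_rules
fi
```

When /etc/rc.d/ipfw runs this file it passes the firewall type as the first argument, which is never "check", so the load path is taken at boot; the explicit flush keeps repeated "service ipfw restart" runs from stacking duplicate rules.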